Let's Not Assume All Breaches Are The Same

As presented, the recent disclosure from Marriott International that guest data was compromised by an unidentified actor looks no different from all the other 'disturbingly ordinary' breaches of the past few years. In most cases the headlines toss out a dramatic count of affected individuals and a sweepingly generic description of the data taken, capped off with assurances that the company is working with law enforcement, promises of cybersecurity improvements, and an offer of free identity theft monitoring in an attempt to regain public trust.

At this point of breach-news saturation, most people can no longer keep the breaches, the data lost, and the sources of each straight. Honestly, it has gotten exhausting: every single week there is a significant breach, and frankly that is only the tip of the iceberg, since many more go completely unnoticed until fraud begins. This raises an important question: what happens when the stolen data is not used for fraud at all?

First, let's understand how criminals turn stolen information into money. Ordinary criminal activity is centered on money, pure and simple, so any data that helps extract money or increases the yield of a fraud scheme is sought after. Typically, this personal data (PD) is what a business uses to verify a person's identity, sometimes even by telephone, which is the highest threshold short of showing up in person. The simplest form is a credit card number and CVV; the next escalation adds a billing address. More advanced fraud, such as assuming a person's identity, starts with name and address and expands from there. This is a form of synthetic identity fraud: accounts are opened using the victim's real PD, with false information sprinkled in to fill the gaps. Most online fraud, by contrast, is account takeover: the criminal steals legitimate credentials and transacts as if they were the victim. It is much quicker, but the yield per account is lower. Having said that, such credentials are also far more plentiful and easily monetized.

However, fraud is not the only motivation for a breach. Another very important motive is industrial espionage. It usually does not involve PD, so no breach-notification obligation is triggered and these intrusions often go unreported. Instead, industrial espionage targets intellectual property and business communications, carried out either by government organizations or by hacking teams hired by unscrupulous businesses. While this type of breach generally has no direct impact on the consumer, the long-term consequences almost always trickle down to the user in the form of lost services or increased costs.

This brings us to the other use of stolen information: state espionage. This is not the money-and-trade-secrets kind; it is the kind we typically only get to see in movies. The Office of Personnel Management (OPM) breach, for example, was conducted solely for intelligence purposes. It included the crippling loss of the background-investigation records (the SF-86 questionnaires) of millions of people who had applied for a US security clearance, including Top Secret. The value of this information to an adversarial intelligence service is absolutely staggering. From it, an adversary can gain insight into a large portion of the US intelligence community's structure, identifying both intelligence officers and their support elements. Moreover, the breached data can be used to identify and assess individuals for espionage recruitment (the personal and financial vulnerabilities that lend themselves to blackmail) throughout every organization in the US Department of Defense and beyond.

This leads us back to the Marriott breach. Lost in the splash of big numbers is the real value of the data: not for fraud, but for pure counterintelligence use. I predict that this breach won't have an impact on the end consumer but is likely to have already had a significant and lasting impact on national security efforts (technical research, economic strategies, espionage operations, and counterintelligence activities).

The outline of the Marriott breach looks like this: someone gained access to the internal reservation databases and carried out a complete extraction of guest data. It took place over years rather than as a single event, which is a departure from "normal" breaches. As the investigation progressed, more information came out: the tools, techniques and methodology matched a known actor that has plagued companies throughout the world, Chinese state intelligence. A comparable compromise within the past decade led to the large-scale enumeration of the CIA's source network in China and the tragic loss of roughly twenty sources, many of them executed or imprisoned.

It is not a coincidence that the OPM breach and the Marriott breach occurred during the same time frame. Combined with the identification of likely US intelligence personnel from the OPM data, and monitored and correlated over time, a large hotel data set lets an adversary establish travel patterns, predict future travel, and match it against operations, thus placing missions (and lives) in jeopardy. As an aside, the recent 'misuse' of LinkedIn by Chinese organizations can augment or further enumerate the same targets. This leaves intelligence organizations scrambling to verify the integrity of their source operations, not knowing which sources, if any, have been compromised and, for those that have, sifting through reporting to separate disinformation from fact.

On the offensive side, Chinese intelligence could use the OPM data to identify people with exploitable vulnerabilities (not the cyber kind but the personal kind) and then couple that with their travel records, allowing the adversary to hand-place officers along a target's route and greatly improve the odds of recruitment.
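To make the correlation described in the last two paragraphs concrete, here is an added Python example that is not part of the original article or of any investigation it mentions. It joins a constructed hotel-stay table against a constructed list of names standing in for a clearance dump, then derives repeat-visit patterns, co-located stays, and names that appear as contacts without being in the clearance list. All names, cities and dates are fabricated; the function names, and the choice to match on a bare guest name, are assumptions made for illustration.

```python
"""Added illustration: fuse a (constructed) hotel-stay dump with a (constructed)
list of names from a clearance dump to surface travel patterns, co-travel and
previously unknown associates.  Every record below is fabricated."""
from collections import defaultdict
from datetime import date

# Constructed stand-in for a leaked reservation table:
# (guest name, city, check-in date, check-out date)
HOTEL_STAYS = [
    ("A. Lee",   "Vienna", date(2016, 3, 2),  date(2016, 3, 5)),
    ("A. Lee",   "Vienna", date(2016, 9, 12), date(2016, 9, 15)),
    ("A. Lee",   "Vienna", date(2017, 3, 6),  date(2017, 3, 9)),
    ("B. Ortiz", "Vienna", date(2016, 9, 13), date(2016, 9, 14)),
    ("B. Ortiz", "Dubai",  date(2017, 1, 20), date(2017, 1, 24)),
    ("C. Novak", "Vienna", date(2016, 9, 13), date(2016, 9, 16)),
    ("D. Patel", "Lima",   date(2016, 5, 1),  date(2016, 5, 3)),
]

# Constructed stand-in for names taken from a stolen background-investigation file.
CLEARANCE_HOLDERS = {"A. Lee", "B. Ortiz", "D. Patel"}


def join_on_name(stays, holders):
    """Keep only stays whose guest appears in the clearance list.
    Matching on a bare name is deliberately crude (assumption for this toy);
    a real background file also carries date of birth, addresses and passport
    numbers, which make the join far less ambiguous."""
    return [s for s in stays if s[0] in holders]


def recurring_cities(stays, min_visits=3):
    """Map each guest to the cities they visited at least `min_visits` times,
    dropping guests with no such city.  Repeat visits to one place are the
    seed of a travel pattern."""
    counts = defaultdict(lambda: defaultdict(int))
    for guest, city, _check_in, _check_out in stays:
        counts[guest][city] += 1
    result = {}
    for guest, cities in counts.items():
        frequent = {c: n for c, n in cities.items() if n >= min_visits}
        if frequent:
            result[guest] = frequent
    return result


def overlapping_nights(a, b):
    """Return the (start, end) window, check-in to check-out, that two stays in
    the same city share, or None.  Stays share a night only if one check-in is
    strictly before the other check-out."""
    if a[1] != b[1]:
        return None
    start, end = max(a[2], b[2]), min(a[3], b[3])
    return (start, end) if start < end else None


def contacts_of(flagged_stays, all_stays):
    """For each stay by a flagged guest, list every other guest who slept in
    the same city on overlapping nights: (flagged, contact, city, from, to).
    Contacts who are not in the clearance list are new leads for the
    adversary, the 'support elements' the text refers to."""
    found = set()
    for f in flagged_stays:
        for o in all_stays:
            if o[0] == f[0]:
                continue
            span = overlapping_nights(f, o)
            if span:
                found.add((f[0], o[0], f[1], span[0].isoformat(), span[1].isoformat()))
    return sorted(found)


def new_leads(contacts, holders):
    """Names that surfaced as contacts but were not in the clearance dump."""
    return {contact for _flagged, contact, *_rest in contacts if contact not in holders}


if __name__ == "__main__":
    flagged = join_on_name(HOTEL_STAYS, CLEARANCE_HOLDERS)
    print("patterns:", recurring_cities(flagged))
    contacts = contacts_of(flagged, HOTEL_STAYS)
    for row in contacts:
        print("co-located:", row)
    print("unknown associates:", new_leads(contacts, CLEARANCE_HOLDERS))
```

Run against the constructed data, the join flags three of the four guests, the pattern pass surfaces A. Lee's repeated trips to Vienna, and the co-location pass pulls out C. Novak, who is in no clearance file but was in the same city on the same nights as two flagged guests. The same join, run by an organization over its own travel records, is also how one would triage exposure after such a breach. Real fusion would use stronger keys and richer reservation fields than city and dates, which is exactly why a background-investigation file paired with a hotel dump is so dangerous.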

With more than 4.3 million individuals holding a US security clearance, and given the time (sometimes decades) required to develop and run intelligence operations, it is wildly unrealistic simply to replace staff or operations. Thus we are faced with the reality of extremely sensitive operations, plans, and research, as well as millions of people, their families, and their associates, being analyzed by foreign intelligence adversaries. Not all breaches are the same; some cannot be washed away by a promise of more security and a full year's worth of credit monitoring.

I am a former Counterintelligence Special Agent recognized as one of the foremost experts in cyber-terrorism. During my time assigned to Special Forces, I helped to establish military doctrine on Human Intelligence Collection support to special operations. I went on to mana...